This article describes the virtual private network (VPN) and the technologies currently used to build one, which let an organization move its data over a public network inside a private, protected channel. A VPN is a secure and cost-effective way to communicate. The article presents the basic concepts of a VPN, its types, and the protocols used to build one. Because Internet protocol security (IPsec) gives a VPN stronger security than the other protocols, IPsec is treated in more depth. Finally, the article describes VPN implementation in an organization.
Organizations use the Internet to exchange data. The Internet is a convenient way to transfer files locally, nationally and internationally. The traditional alternative, a private leased line, is expensive, while traffic on the public Internet is easy for an attacker to observe or tamper with in transit. A VPN connects network components to another network through a tunnel and establishes a secure connection between sender and receiver. VPNs use several protocols for security, such as IPsec, the point-to-point tunnelling protocol (PPTP) and the layer 2 tunnelling protocol (L2TP). PPTP and L2TP have weaknesses in data confidentiality: L2TP itself does not encrypt packets at all, and the MPPE encryption used with PPTP has known weaknesses. IPsec provides data confidentiality and is the most widely used protocol for VPN security. A VPN can be built without a firewall, but a secure VPN cannot be built without encryption. In this article, section II describes the basic concepts of a VPN and its structure. Section III describes the types of VPN: remote access, intranet and extranet. Section IV describes the major VPN protocols: PPTP, L2TP and IPsec. Section V describes the security techniques used in a VPN: tunnelling, encryption, packet authentication and user authentication. Section VI describes VPN implementation in an organization.
A virtual private network (VPN) is a network that connects network components to another network over a shared infrastructure. It lets a user who works at home or while travelling make a secure connection to the organization's server across a public network, giving that user a point-to-point connection to the server. Enterprises and their business partners can likewise communicate securely with each other over the public network, which is usually the Internet. To reach the other network the VPN establishes a tunnel for the user across the public network. Without protection, an attacker on the public network can easily observe or alter the information in transit. A VPN provides data integrity, data confidentiality and data authentication, using encryption for data security. A VPN can be created without a firewall, but a secure VPN cannot be created without encryption, so cryptography plays a major role in a VPN. Once the tunnel is established the user transmits and receives data through it transparently. The following diagram shows the basic structure of a VPN. [Odiyo, 2006]
Fig-1-how virtual private network works. [Odiyo, 2006]
Here the mobile worker, business partner, remote office and home office communicate with the main office through the VPN. The blue circles are routers. The mobile user and the home office reach the Internet through an ISP point of presence (POP). [Odiyo, 2006]
Types of VPN:
A VPN provides its services locally, nationally and internationally. Based on who is being connected, VPNs are classified into three categories [Lam, 2002].
Remote access VPN:
This is the connection between a mobile or home employee and the organization's main server. It is also called a virtual private dial-up network (VPDN). The VPN gives the mobile employee a secure, point-to-point connection to the organization's private network.
Intranet VPN:
This is the connection between two local area networks (LANs) belonging to the same organization. The VPN gives two branch offices a secure connection for communicating with each other. It is also called a site-to-site connection.
Extranet VPN:
This is the connection between an organization and its customers, suppliers and partners. It is another kind of site-to-site connection, in which the VPN provides a secure path between the two organizations.
A protocol is a set of rules that governs communication on a network. Three protocols are most commonly used to build a VPN:
Point-to-point tunnelling protocol (PPTP)
Layer-2-tunneling protocol (L2TP)
Internet protocol security (IPsec)
Of the three, IPsec gives a VPN the strongest security. The three protocols are discussed below.
Point-to-point tunnelling protocol (PPTP):
PPTP carries IP as well as non-IP protocols such as IPX and NetBEUI inside the tunnel. It takes three major steps to establish a secure connection between client and server. The steps are given below:
The point-to-point protocol (PPP) establishes a connection between the mobile employee and the Internet service provider (ISP) access point. PPP also negotiates the user authentication (PAP, CHAP or MS-CHAP) and, with Microsoft point-to-point encryption (MPPE), the encryption of the frames that will cross the tunnel.
Over that connection PPTP opens a transmission control protocol (TCP) control connection (port 1723) between the mobile employee and the organization's PPTP server across the ISP's network. This control connection sets up and tears down the tunnel.
PPTP encapsulates the encrypted PPP frames, which carry the IP datagrams, in generic routing encapsulation (GRE, IP protocol 47) packets and sends them to the PPTP server. The PPTP server decapsulates and decrypts them, recovers the original information and passes it to the organization's private network.
The following diagram shows these three steps:
Fig-2-PPTP entire process. [http://technet.microsoft.com/en-us/library/cc768084.aspx#, accessed 15.04.2010]
The following diagram shows the PPTP packet that carries the user data:
Fig-3-PPTP packet. [http://technet.microsoft.com/en-us/library/cc768084.aspx#, accessed 15.04.2010]
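The data packet of step three is a PPP frame inside the enhanced GRE header defined by RFC 2637. The following is an added example, not code from the essay or from any PPTP implementation, that builds and parses that header; the call ID, sequence numbers and the PPP frame are constructed values, and the PPP protocol field 0x00FD marks an MPPE-encrypted payload.

```python
import struct

GRE_PROTO_PPP = 0x880B   # protocol type for PPP carried in enhanced GRE
FLAG_K = 0x2000          # key field present (payload length + call ID); always set by PPTP
FLAG_S = 0x1000          # sequence number present: this is a data packet
FLAG_A = 0x0080          # acknowledgment number present
VERSION_MASK = 0x0007    # enhanced GRE is version 1


def build_pptp_gre(call_id, ppp_frame, seq=None, ack=None):
    """Return the GRE header followed by the PPP frame, as PPTP puts it on the wire."""
    flags = FLAG_K | 0x0001  # version 1
    if seq is not None:
        flags |= FLAG_S
    if ack is not None:
        flags |= FLAG_A
    hdr = struct.pack("!HHHH", flags, GRE_PROTO_PPP, len(ppp_frame), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp_frame


def _u32(packet, off):
    if len(packet) < off + 4:
        raise ValueError("GRE header truncated")
    return struct.unpack_from("!I", packet, off)[0]


def parse_pptp_gre(packet):
    """Parse a PPTP GRE packet; raise ValueError on anything that is not one."""
    if len(packet) < 8:
        raise ValueError("GRE header truncated")
    flags, proto, length, call_id = struct.unpack("!HHHH", packet[:8])
    if proto != GRE_PROTO_PPP or (flags & VERSION_MASK) != 1 or not flags & FLAG_K:
        raise ValueError("not an enhanced GRE (PPTP) packet")
    off, seq, ack = 8, None, None
    if flags & FLAG_S:
        seq, off = _u32(packet, off), off + 4
    if flags & FLAG_A:
        ack, off = _u32(packet, off), off + 4
    payload = packet[off:off + length]
    if len(payload) != length:     # never trust the length field before checking it
        raise ValueError("payload length field exceeds packet")
    return {"call_id": call_id, "seq": seq, "ack": ack, "ppp": payload}


def is_pptp_gre(packet):
    """Boolean wrapper for callers that only want to filter traffic."""
    try:
        parse_pptp_gre(packet)
        return True
    except ValueError:
        return False


# Constructed sample: a PPP frame whose protocol field 0x00FD marks an MPPE-encrypted payload.
SAMPLE_PPP = b"\x00\xfd" + bytes(range(8))

if __name__ == "__main__":
    wire = build_pptp_gre(0x1234, SAMPLE_PPP, seq=7, ack=3)
    print(parse_pptp_gre(wire))
```

Note that nothing in this header authenticates the packet: the call ID and sequence number are plain integers, which is why a PPTP server must tolerate forged or out-of-range values without crashing, and why the length field is checked against the real packet size before it is used.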
Disadvantages: an eavesdropper who captures the MS-CHAP exchange can recover the user's password with offline password-cracking tools, and unauthenticated control messages can crash the PPTP server.
Layer-2-tunneling protocol (L2TP):
L2TP was created to improve on PPTP. It combines the features of PPTP, which was created by Microsoft, and the layer 2 forwarding (L2F) protocol, which is supported by Cisco. Like PPTP it supports non-IP protocols, which is the main advantage of both. On its own, however, L2TP has the same drawbacks as PPTP: it provides no encryption of its own, which is why in practice it is run over IPsec (L2TP/IPsec). It works at layer 2, the data link layer, hence the name. L2TP uses the user datagram protocol (UDP, port 1701) for tunnel maintenance and to carry the encapsulated PPP frames. The following diagram shows the L2TP frame that carries the user data.
Fig-4-L2TP packet. [http://technet.microsoft.com/en-us/library/cc958047.aspx, accessed 15.04.2010]
The PPP payload can carry IP, Internetwork Packet Exchange (IPX) or NetBIOS Extended User Interface (NetBEUI) packets; NetBIOS stands for network basic input/output system.
Internet protocol security (IPsec):
IPsec provides security at the packet level and was created by the Internet Engineering Task Force (IETF). It adds a security architecture to the IP protocol so that a VPN built on it is more secure. It supports interoperability, data authentication, data confidentiality and data integrity. Two protocols make up IPsec: the authentication header (AH) and the encapsulating security payload (ESP). Both work in either of two modes, transport mode and tunnel mode.
Authentication header (AH):
AH provides data integrity and data authentication. It places an AH header after the IP header and in front of the original payload; in tunnel mode a new outer IP header is added as well. AH does not encrypt packets, so it does not provide data confidentiality. The following diagram shows the AH packet format.
Fig-5-AH packet. [http://technet.microsoft.com/en-us/library/cc768084.aspx#, accessed 16.04.2010]
Encapsulating security payload (ESP):
ESP inserts an ESP header after the IP header and an ESP trailer after the original payload; in tunnel mode the whole original IP packet becomes the payload and a new outer IP header is added. ESP encrypts the payload, so it provides data confidentiality, and with its integrity check value it provides authentication as well. The following diagram shows the ESP packet format.
Fig-6-ESP packet. [http://technet.microsoft.com/en-us/library/cc768084.aspx#, accessed 16.04.2010]
The encrypted portion of the packet is what gives the information its confidentiality. For this reason IPsec VPNs use ESP.
A VPN must support the following techniques to protect data from unauthorized users who try to access network resources and information, and from third parties who try to observe or tamper with the information as it crosses the public network. Since IPsec gives a VPN more security than the other protocols, this article concentrates on IPsec. The techniques are:
Tunnelling
Encryption
Authentication of packets
Authentication of users
These four capabilities provide security for a VPN. Each is described below. [Wright, 2000]
Tunnelling:
The first technique is tunnelling. Packets are transmitted and received across the public network inside a private tunnel that forms a point-to-point connection between source and destination. Many tunnels can share the same infrastructure, carrying data from different sources; each tunnel keeps its source's data separate so that it reaches exactly its destination. A VPN uses ordinary networking techniques for this: the remote access employee sends point-to-point protocol (PPP) packets to the server, and a branch office router on one LAN sends PPP packets to the router at another branch office, but the PPP packets travel inside a tunnel across the public network rather than over a leased line. The tunnel starts at the Internet access point and ends at a tunnel-terminating device on the destination side. For example, a remote access employee connects to a network access point; the Internet service provider (ISP) verifies the employee and creates a path through its network that ends at the organization's LAN. [Wright, 2000]
Encryption:
Encryption is the cryptographic technique that gives a VPN its confidentiality. The sender encrypts the plain text into cipher text and sends it to the receiver; this is encryption. The receiver decrypts the cipher text and recovers the plain text; this is decryption. Before they can do this, sender and receiver must agree on the cryptographic parameters, above all the keys used for encryption. IPsec groups these agreements into a security association (SA). An SA protects traffic in one direction only, so two-way secure communication between sender and receiver needs two SAs. An IPsec SA specifies the following:
the authentication algorithm used in the authentication header;
the encryption algorithm used in ESP;
the keys, authentication algorithm and encryption algorithm used to authenticate and encrypt the communication between the two ends;
the keys, their lifetimes and when they change, as well as the lifetime of the SA itself and the source address. [Wright, 2000]
Encapsulating security payload (ESP):
ESP is the part of IPsec that encrypts data. It inserts an ESP header between the IP header and the original payload. The ESP header contains a security parameter index (SPI) and a sequence number. The SPI tells the receiver which SA to use to decrypt the packet. The sequence number increases by one for every packet sent on the same SA (same SPI, same destination), so it counts the packets sent on that SA and lets the receiver detect replay attacks. In a replay attack an attacker copies packets and re-sends them, out of order, to confuse sender and receiver. ESP originally mandated the data encryption standard (DES) for encryption; current implementations use AES. ESP also carries an integrity check value for authentication, placed after the trailer and calculated after encryption. ESP works in two modes, transport mode and tunnel mode. In transport mode it encrypts only the original payload and not the IP header, so an eavesdropper can still see the source and destination addresses. In tunnel mode it encrypts the entire original packet and adds a new IP header that identifies the two tunnel endpoints. [Wright, 2000]
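The following is an added example, not code from the essay or from any IPsec implementation, showing the ESP header and trailer layout, the sequence number, and the receiver's sliding anti-replay window from RFC 4303. It uses the NULL cipher (RFC 2410) with HMAC-SHA1-96 integrity so that it runs on the Python standard library; a real SA would use AES (and AES-GCM would supply encryption and the integrity check together). The SPI, key and inner packets are constructed values, and the outer IP header a tunnel-mode gateway prepends is left out.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12            # HMAC-SHA1-96: 20-byte tag truncated to 96 bits (RFC 2404)
NEXT_HEADER_IPV4 = 4    # tunnel mode: the protected payload is a whole IPv4 packet
REPLAY_WINDOW = 64      # window size; RFC 4303 requires at least 32 and recommends 64


def _icv(key, data):
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


class OutboundSA:
    """Sender side: one SPI, one key, a strictly increasing sequence number."""

    def __init__(self, spi, auth_key):
        self.spi, self.key, self.seq = spi, auth_key, 0

    def protect(self, inner_packet):
        self.seq += 1
        if self.seq == 0xFFFFFFFF:
            raise RuntimeError("sequence space exhausted: rekey the SA")
        pad_len = (-(len(inner_packet) + 2)) % 4      # trailer ends on a 4-byte boundary
        padding = bytes(range(1, pad_len + 1))         # default pad pattern 1, 2, 3, ...
        trailer = struct.pack("!BB", pad_len, NEXT_HEADER_IPV4)
        body = struct.pack("!II", self.spi, self.seq) + inner_packet + padding + trailer
        return body + _icv(self.key, body)             # ICV covers header, payload, trailer


class InboundSA:
    """Receiver side: replay pre-check, ICV verification, then window update."""

    def __init__(self, spi, auth_key):
        self.spi, self.key = spi, auth_key
        self.last_seq = 0     # highest sequence number accepted so far
        self.bitmap = 0       # bit i set -> sequence number last_seq - i already seen

    def unprotect(self, packet):
        if len(packet) < 8 + 2 + ICV_LEN:
            raise ValueError("packet shorter than ESP header + trailer + ICV")
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            raise ValueError("unknown SPI")
        self._replay_check(seq)                        # cheap rejection before the HMAC
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        if not hmac.compare_digest(icv, _icv(self.key, body)):
            raise ValueError("ICV mismatch: packet forged or corrupted")
        self._replay_update(seq)                       # window moves only for authentic packets
        pad_len, next_hdr = struct.unpack("!BB", body[-2:])
        if next_hdr != NEXT_HEADER_IPV4:
            raise ValueError("unexpected next header %d" % next_hdr)
        return body[8:len(body) - 2 - pad_len]

    def _replay_check(self, seq):
        if seq == 0:
            raise ValueError("sequence number 0 is never valid")
        if seq <= self.last_seq:
            diff = self.last_seq - seq
            if diff >= REPLAY_WINDOW:
                raise ValueError("sequence number too old")
            if self.bitmap & (1 << diff):
                raise ValueError("replayed packet")

    def _replay_update(self, seq):
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << REPLAY_WINDOW) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def receive(sa, packet):
    """Return (accepted, payload_or_reason) so a gateway can log why it dropped a packet."""
    try:
        return True, sa.unprotect(packet)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    key = b"\x01" * 20                                 # constructed SA key
    tx, rx = OutboundSA(0x1000, key), InboundSA(0x1000, key)
    first = tx.protect(b"inner packet 1")              # constructed inner packet
    print(receive(rx, first), receive(rx, first))      # second delivery is a replay
```

Two details matter in practice: a forged packet with a very high sequence number must not advance the window (here the window is updated only after the ICV verifies), and a packet that is merely reordered within the window is still accepted, which is what lets ESP run over a network that does not guarantee ordering.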
Management of keys for encryption:
IPsec has two kinds of key management for encryption: manual keying and the Internet key exchange (IKE). With manual keying the keys are configured at each end by hand after being delivered out of band, for example by e-mail or courier; it is workable only for a small number of sites. IKE, also called automated key exchange, negotiates the SAs and creates their keys. IKE combines the Oakley key determination protocol with the Internet security association and key management protocol (ISAKMP): ISAKMP defines the packet formats and the procedure, and Oakley the key determination. The SAs manage the part of the key exchange that relates to the security procedure. IKE specifies the following:
a hash algorithm, for integrity, and an encryption algorithm, for protecting the exchange;
authentication of the two endpoints to each other, so that keys are never negotiated with an impostor.
Fig-7-security association. [http://technet.microsoft.com/en-us/library/cc768084.aspx#, accessed 16.04.2010]
Authentication of packets:
The AH in IPsec provides authentication and integrity for packets. Integrity means that any change an attacker makes to a packet in transit is detected, and authentication defends against replay attacks and IP spoofing, since the receiver verifies that the packet came from the other end of the SA. AH inserts an AH header between the IP header and the payload. The AH header contains an SPI, which tells the receiver which SA to apply, a sequence number, and authentication data (an integrity check value) computed with the SA's key using HMAC-SHA-1 or HMAC-MD5. Unlike ESP's authentication, AH's covers the outer IP header as well, except for fields that legitimately change in transit such as the time to live and the header checksum. AH also works in two modes, transport mode and tunnel mode. In transport mode it authenticates the original IP header and payload; in tunnel mode it authenticates the whole packet, including the new outer header. [Wright, 2000]
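The following is an added example, not code from the essay or from any IPsec implementation, of transport-mode AH over IPv4 with HMAC-SHA1-96 as in RFC 4302: the integrity check value is computed over the IP header with its mutable fields zeroed, the AH header with the ICV field zeroed, and the payload. It then applies what a router does (decrement TTL, recompute the checksum) and what a NAT does (rewrite the source address), to show which of the two AH tolerates. Addresses, key, SPI and payload are constructed values.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_AH = 51
ICV_LEN = 12                    # HMAC-SHA1-96
AH_LEN = 12 + ICV_LEN           # fixed AH fields (12 bytes) plus the ICV


def ipv4_checksum(header):
    """Standard one's-complement checksum over a header whose checksum field is zero."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, total_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def _ah_icv_input(ip_hdr, ah_hdr, payload):
    """Zero the mutable IPv4 fields and the ICV itself before hashing (RFC 4302 3.3.3.1)."""
    v = bytearray(ip_hdr)
    v[1] = 0                    # DSCP / ECN
    v[6:8] = b"\x00\x00"        # flags and fragment offset
    v[8] = 0                    # TTL
    v[10:12] = b"\x00\x00"      # header checksum
    return bytes(v) + ah_hdr + bytes(ICV_LEN) + payload


def ah_protect(src, dst, next_header, payload, spi, seq, key):
    ip = ipv4_header(src, dst, IPPROTO_AH, 20 + AH_LEN + len(payload))
    # payload length field counts 32-bit words minus 2: (24 / 4) - 2 = 4
    ah = struct.pack("!BBHII", next_header, AH_LEN // 4 - 2, 0, spi, seq)
    icv = hmac.new(key, _ah_icv_input(ip, ah, payload), hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah + icv + payload


def ah_verify(packet, key):
    ip, ah, icv, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    if len(packet) < 44 or ip[9] != IPPROTO_AH:
        return False
    expected = hmac.new(key, _ah_icv_input(ip, ah, payload), hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)


def _rewrite_header(packet, edit):
    hdr = bytearray(packet[:20])
    edit(hdr)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[20:]


def forward_hop(packet):
    """What a router does: TTL - 1 and a fresh header checksum; both are mutable fields."""
    def edit(hdr):
        hdr[8] -= 1
    return _rewrite_header(packet, edit)


def nat_rewrite_source(packet, new_src):
    """What a NAT does: replace the source address, an immutable field under AH."""
    def edit(hdr):
        hdr[12:16] = socket.inet_aton(new_src)
    return _rewrite_header(packet, edit)


if __name__ == "__main__":
    key = b"\x02" * 20                                        # constructed SA key
    pkt = ah_protect("10.0.0.1", "10.0.0.2", 17, b"udp payload", 0x200, 1, key)
    print(ah_verify(pkt, key), ah_verify(forward_hop(pkt), key),
          ah_verify(nat_rewrite_source(pkt, "192.0.2.1"), key))   # True True False
```

This is the practical caveat behind AH: because the source address is inside the ICV, an AH packet that passes through a NAT fails verification at the receiver, which is one reason ESP (optionally with UDP encapsulation) is used far more often than AH in deployed VPNs.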
Authentication of user:
A VPN must authenticate each user before granting access to the organization's resources, so that a third party cannot reach them. VPNs authenticate users with the following three protocols: the password authentication protocol (PAP), the challenge handshake authentication protocol (CHAP) and the remote authentication dial-in user service (RADIUS). Each is discussed below. [Wright, 2000]
Password authentication protocol (PAP):
PAP is a simple protocol in which one peer authenticates itself to the other. Once the point-to-point protocol (PPP) link is up, the peer sends its username and password to the authenticator, which either accepts the request or terminates the connection. It is a two-way handshake. PAP is not a secure authentication protocol because it sends the username and password in clear text over the public network, so an eavesdropper reads them directly. [Wright, 2000]
Challenge handshake authentication protocol (CHAP):
CHAP is a three-way handshake protocol and is more secure than PAP. Authentication takes the following steps:
The user's system asks the authenticator to log in.
The authenticator sends a random challenge back to the user (8 bytes in MS-CHAP; variable length in standard CHAP).
The user's system computes a one-way hash (MD5 in standard CHAP) over the message identifier, the shared secret and the challenge, and sends the result back as its response.
The authenticator computes the same value from its own copy of the secret. If the two match it authenticates the user; otherwise it terminates the connection.
Because every challenge is different, a captured response cannot be replayed, and the authenticator can re-challenge at any time during the session. PAP and CHAP still share a disadvantage: both rest on a username and password, and CHAP requires the authenticator to hold the secret in clear text rather than as a password hash. The secret is stored on the remote computer as well as on the authenticator, so if either falls under the attacker's control the attacker obtains it. [Wright, 2000]
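The following is an added example, not code from the essay, that puts the two protocols side by side: the PAP Authenticate-Request of RFC 1334 and the CHAP challenge/response of RFC 1994, with a check of what an eavesdropper on the link would see and of what the authenticator must store. The user name, secret and authenticator name are constructed values.

```python
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE, CHAP_SUCCESS, CHAP_FAILURE = 1, 2, 3, 4


def _packet(code, identifier, body):
    """Common PPP authentication packet framing: code, identifier, total length, body."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def pap_authenticate_request(identifier, peer_id, password):
    """PAP puts the password on the wire exactly as typed."""
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return _packet(PAP_AUTH_REQUEST, identifier, body)


def chap_challenge(identifier, authenticator_name, value=None):
    """Authenticator -> peer.  The challenge value is random (fixed only for tests)."""
    value = os.urandom(16) if value is None else value
    body = bytes([len(value)]) + value + authenticator_name
    return _packet(CHAP_CHALLENGE, identifier, body), value


def chap_response(identifier, peer_name, secret, challenge_value):
    """Peer -> authenticator: MD5(identifier || secret || challenge) proves the secret."""
    digest = hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()
    return _packet(CHAP_RESPONSE, identifier, bytes([len(digest)]) + digest + peer_name)


def chap_verify(response, challenge_value, secret_db):
    """Authenticator side.  secret_db maps name -> cleartext secret: CHAP cannot work from a hash."""
    if len(response) < 5:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != CHAP_RESPONSE or length != len(response):
        return False
    size = response[4]
    digest, name = response[5:5 + size], response[5 + size:]
    secret = secret_db.get(name)
    if secret is None or len(digest) != 16:
        return False
    expected = hashlib.md5(bytes([identifier]) + secret + challenge_value).digest()
    return hmac.compare_digest(digest, expected)


def on_wire_contains(packet, secret):
    """Eavesdropper's test: does the secret appear verbatim in the captured packet?"""
    return secret in packet


if __name__ == "__main__":
    db = {b"alice": b"s3cret"}                      # constructed user database
    pap = pap_authenticate_request(1, b"alice", b"s3cret")
    challenge_pkt, challenge = chap_challenge(7, b"vpn-gw")
    resp = chap_response(7, b"alice", b"s3cret", challenge)
    print(on_wire_contains(pap, b"s3cret"), on_wire_contains(resp, b"s3cret"))  # True False
    print(chap_verify(resp, challenge, db))                                      # True
```

The last check in chap_verify is the point of the protocol: a response captured for one challenge fails against the next one, so replaying it buys the attacker nothing. The cost is visible in secret_db, which must hold the cleartext secret on the authenticator.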
Remote authentication dial in user service (RADIUS):
RADIUS follows the client-server model. The network access server (NAS) acts as the client: it receives the user's authentication request, places the username and password in an Access-Request (the password is obscured with a secret shared between the NAS and the RADIUS server) and sends it to the RADIUS server. The server replies with an Access-Accept or an Access-Reject, possibly carrying additional configuration attributes for the user's session. The RADIUS server thus keeps central control over which users are authenticated. [Wright, 2000]
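The following is an added example, not code from the essay or from any RADIUS implementation, of the NAS-to-server exchange of RFC 2865: how the User-Password attribute is hidden with the shared secret and the request authenticator, how the server answers with an Access-Accept or Access-Reject, and the check a NAS must make on the Response Authenticator before trusting the reply. The shared secret, user database and request authenticator are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(kind, value):
    return struct.pack("!BB", kind, 2 + len(value)) + value


def _parse_attrs(data):
    attrs, off = {}, 0
    while off + 2 <= len(data):
        kind, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError("malformed attribute")
        attrs[kind] = data[off + 2:off + length]
        off += length
    return attrs


def hide_password(secret, request_authenticator, password):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret || previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + bytes((-len(password)) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(secret, request_authenticator, hidden):
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, identifier, username, password, request_authenticator=None):
    """NAS side.  The 16-byte request authenticator must be fresh and unpredictable."""
    ra = os.urandom(16) if request_authenticator is None else request_authenticator
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def _response_authenticator(secret, code, identifier, attrs, request_authenticator):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def radius_server(secret, user_db, request):
    """Server side: one Access-Request in, one Access-Accept or Access-Reject out."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    ra, attrs = request[4:20], _parse_attrs(request[20:])
    user = attrs.get(ATTR_USER_NAME)
    password = reveal_password(secret, ra, attrs.get(ATTR_USER_PASSWORD, b""))
    reply = ACCESS_ACCEPT if user in user_db and user_db[user] == password else ACCESS_REJECT
    reply_attrs = b""                                   # session attributes would go here
    header = struct.pack("!BBH", reply, identifier, 20 + len(reply_attrs))
    return header + _response_authenticator(secret, reply, identifier, reply_attrs, ra) + reply_attrs


def nas_check_reply(secret, request, reply):
    """NAS side: return the reply code only if its authenticator matches our request."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return None
    expected = _response_authenticator(secret, code, identifier, reply[20:], request[4:20])
    if not hmac.compare_digest(reply[4:20], expected):
        return None
    return code


if __name__ == "__main__":
    secret, db = b"nas-shared-secret", {b"alice": b"correct horse battery staple"}
    req = build_access_request(secret, 5, b"alice", b"correct horse battery staple")
    print(nas_check_reply(secret, req, radius_server(secret, db, req)))   # 2 (Access-Accept)
```

The NAS-side check is the part that is easy to forget: without it, anyone who can inject a UDP datagram towards the NAS could send a fake Access-Accept. Note also that the password hiding is only an obfuscation keyed on the shared secret and MD5, which is why RADIUS traffic between NAS and server should itself run over a protected path such as an IPsec tunnel.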
VPN implementation in organization:
Extending a VPN in an organization is easy to talk about, but once the security threats are considered many problems arise, and which ones depends on where the VPN is used. Some examples:
The organization uses the VPN within its own network to protect data. Here the problems are small.
The organization extends the VPN to communicate with a remote part of the same organization. Here different problems emerge.
The organization extends the VPN to communicate with its partners, suppliers and customers. Here a complex set of problems arises.
The organization lets all remote employees access its resources through the VPN. Here a relatively wide range of problems arises.
So before a VPN is implemented or extended in an organization, careful planning is a must. It is time consuming, but it is what keeps these problems under control. [Broderick, 2001]
A VPN is a technology for communicating with another network over the Internet. It uses encryption, tunnelling, data authentication and user authentication to secure communication from one network to another over an end-to-end connection. Over the past few years VPN technologies have developed considerably, and many vendors now offer both hardware and software VPN solutions. Many organizations have adopted VPNs because they are cost effective and scalable. Because a VPN communicates over a public network, its security must be considered carefully, and communication over a public network, even with a VPN, is still not fully trusted. Today VPNs are deployed almost only over the Internet; they still need considerable development for other public networks.
I am thankful to Dr. Luke Hebbes for giving me an opportunity to explore the topic of virtual private networks (VPN). I would also like to thank my parents and friends for their valuable feedback and support. I would also like to acknowledge and thank the researchers whose work is referenced in this paper and through which I could build and successfully complete my research.